AI Security AI安全 6h ago Updated 1h ago 更新于 1小时前 49

148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet 148个伪装成学生代理的npm包将浏览器变成了DDoS僵尸网络

A campaign of 148 npm packages disguised as student web proxies created a DDoS botnet by hijacking visitors' browsers rather than compromising developer machines. The malware utilized two distinct modules: a remote script loader (G2) to execute HTTP floods against educational institutions, and a WebSocket flood generator (I2) to overwhelm proxy server infrastructure via control-plane exhaustion. Unlike typical supply chain attacks that trigger during installation, this threat remained dormant un 148个伪装成学生代理工具的npm包在5月期间将访问者浏览器转化为DDoS僵尸网络。 攻击者利用远程代码加载器(G2)和WebSocket洪水生成器(I2),针对学校服务器及Wisp代理协议后端发起控制平面与体积型攻击。 该活动未针对开发者安装阶段,而是潜伏于浏览器标签页中,通过无CORS预检和随机化参数绕过常规节流机制。 基础设施高度集中且暴露,操作者被推测为年轻群体,npm注册表在此事件中充当了恶意内容的免费托管平台。

75
Hot 热度
70
Quality 质量
65
Impact 影响力

Analysis 深度分析

TL;DR

  • A campaign of 148 npm packages disguised as student web proxies created a DDoS botnet by hijacking visitors' browsers rather than compromising developer machines.
  • The malware utilized two distinct modules: a remote script loader (G2) to execute HTTP floods against educational institutions, and a WebSocket flood generator (I2) to overwhelm proxy server infrastructure via control-plane exhaustion.
  • Unlike typical supply chain attacks that trigger during installation, this threat remained dormant until the user visited the proxy website, leveraging the npm registry merely as a distribution vector for web-based exploitation.
  • The attack exploited vulnerabilities in the deprecated wisp-server-node library, causing rapid allocation and teardown of connections that exhausted file descriptors and flooded logs on targeted servers.
  • Infrastructure analysis revealed a loosely organized operator cluster using a single IP address and juvenile naming conventions, highlighting significant gaps in npm’s rate-limiting and content moderation for newly published packages.

Why It Matters

This incident demonstrates a sophisticated evolution in supply chain attacks, shifting the target from developers to end-users by repurposing the package registry as a hosting platform for malicious web applications. It highlights critical security risks in the JavaScript ecosystem, particularly regarding the lack of runtime checks for client-side code executed via npm-distributed websites. For security practitioners, it underscores the necessity of monitoring not just for malicious code in dependencies, but for the misuse of registries to distribute web-based exploits that leverage browser capabilities for large-scale DDoS operations.

Technical Details

  • Distribution Mechanism: 148 npm packages (e.g., charlie-kirk, ilovefemboys) were published with no lifecycle hooks or native build scripts, functioning solely as landing pages for a proxy app branded "Lucide."
  • Module G2 (HTTP Flood): A remote script loader fetched JavaScript from a mutable GitHub repository via jsDelivr CDN without Subresource Integrity (SRI) checks. It executed a crude HTTP flood, sending one-megabyte POST requests every 500ms to targets like cdn.caan.edu, generating approximately 2 MB/s of upload traffic per visitor.
  • Module I2 (WebSocket Control-Plane Attack): This module connected to a Wisp endpoint (lunaron.top) and opened up to 1,024 WebSocket connections per browser tab. It sent valid Wisp CONNECT and CLOSE frames targeting localhost:1 on the remote server, forcing the server to allocate and tear down thousands of connections rapidly.
  • Exploitation of Legacy Libraries: The attack specifically targeted the deprecated wisp-server-node library, which failed to validate destination addresses or limit connection rates, leading to file descriptor exhaustion and log flooding on the proxy servers.
  • Infrastructure: The campaign was hosted on a single IP address (92.38.177.17) via G-Core Labs, with deployment accounts registered seconds apart, indicating a coordinated but technically immature operation.

Industry Insight

  • Registry Security Reevaluation: Organizations must recognize that npm packages can serve as vectors for web-based attacks even if they contain no malicious code at install time. Security tools should analyze the runtime behavior of hosted content, not just the static code in the package.
  • Client-Side Supply Chain Risks: The use of mutable CDNs (like jsDelivr pointing to main branches) without integrity checks allows attackers to update payloads dynamically. Developers and users should enforce strict Content Security Policies (CSP) and verify SRI hashes for all external scripts.
  • Deprecation and Maintenance Hygiene: The success of this attack relied on the continued use of deprecated libraries like wisp-server-node. Maintainers of widely used protocols and libraries must prioritize security patches and deprecation notices, while users should migrate away from known vulnerable implementations immediately.

TL;DR

  • 148个伪装成学生代理工具的npm包在5月期间将访问者浏览器转化为DDoS僵尸网络。
  • 攻击者利用远程代码加载器(G2)和WebSocket洪水生成器(I2),针对学校服务器及Wisp代理协议后端发起控制平面与体积型攻击。
  • 该活动未针对开发者安装阶段,而是潜伏于浏览器标签页中,通过无CORS预检和随机化参数绕过常规节流机制。
  • 基础设施高度集中且暴露,操作者被推测为年轻群体,npm注册表在此事件中充当了恶意内容的免费托管平台。

为什么值得看

本文揭示了供应链安全威胁的新范式:恶意软件不再局限于破坏构建流程或窃取开发者凭证,而是利用用户终端作为攻击跳板。这对理解现代Web应用的安全边界及第三方依赖的风险传导机制具有重要警示意义。

技术解析

  • 双模块攻击载荷:包含G2(远程脚本加载器)和I2(WebSocket连接生成器)。G2从GitHub/jsDelivr动态加载代码,缺乏完整性校验;I2配置浏览器建立大量WebSocket连接以执行特定协议帧。
  • 混合DDoS策略:一方面通过每500毫秒发送1MB数据的HTTP POST请求对目标学校服务器进行体积型洪水攻击;另一方面通过每秒数千次的Wisp CONNECT/CLOSE帧对代理后端进行控制平面资源耗尽攻击。
  • 协议滥用细节:利用Wisp协议的二进制模式,向localhost:1发送有效帧,迫使远端服务器处理无效连接请求,导致文件描述符耗尽和日志存储溢出。
  • 隐蔽性与持久化:包内无生命周期钩子,不触发安装时执行,而是等待用户打开网页后在React界面渲染前注入恶意逻辑,利用no-referrer策略隐藏来源。

行业启示

  • 重新评估npm包风险模型:传统安全扫描侧重于安装时的恶意脚本,需扩展至运行时行为分析,特别是针对那些看似无害但可能劫持用户浏览器资源的包。
  • 加强CDN与仓库托管安全:攻击者利用GitHub和jsDelivr等可信CDN分发恶意代码,表明即使来源可信的静态资源也可能被篡改,需强制实施SRI(子资源完整性)检查。
  • 关注“用户即资源”的攻击面:企业安全策略应意识到,恶意Web应用可能利用普通用户的带宽和计算能力发起攻击,需加强对前端应用加载外部脚本的严格管控和监控。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Open Source 开源